ASA LDAP is not finding memberOf Active Directory group Domain Users

It seems that no matter what group I add an account to, the LDAP memberOf lookup finds it, except for the Domain Users group. Is there a specific exclusion of this group somewhere? It doesn't appear to be an issue with the space in the name, because if I test with other default groups like Domain Admins it works. I am getting the same result from both the LDAP attribute map and from trying to use the Domain Users group in a DAP policy. A 'debug ldap 255' returns every other group membership for an account except for Domain Users.

When I issue the command 'sh ad-group LDAP filter "Domain "', the Domain Users group is in the results list, so the ASA is able to see it and it exists.

Accepted Solution
Cisco Employee

Re: ASA LDAP is not finding memberOf Active Directory group Domain Users

Please see the attached link under primaryGroupID, which states that the Domain Users group is not part of the memberOf attribute.
http://msdn.microsoft.com/en-us/library/ms677943.aspx

That explains why the mapping fails for any Domain Users, as seen in the debugs.

2 Replies
Beginner

Re: ASA LDAP is not finding memberOf Active Directory group Domain Users

Thanks for the info. Based on your input I have created 2 different DAPs: one using the primaryGroupID of 513 to capture standard accounts in Domain Users, and one that uses memberOf = Domain Users for any accounts that might have had their primaryGroupID changed. It seems to be working.
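The membership logic the thread arrives at, written out as an added Python example that is not part of the original thread and is not Cisco or Microsoft code. It models the Active Directory behaviour the accepted answer cites (a user's primary group is absent from the user's memberOf attribute) and the poster's two-pronged match (primaryGroupID 513 or memberOf = Domain Users). It goes slightly beyond the thread by resolving the primary group through the group's objectSid RID instead of hardcoding the name, so the same check works for any group that happens to be someone's primary group. Every DN, SID and user entry below is constructed sample data and no LDAP server is contacted.

```python
# Added example (not from the thread): effective AD group membership that
# accounts for the primary group, which Active Directory does NOT list in
# the user's memberOf attribute. All entries, DNs and SIDs below are
# constructed sample data; no LDAP server is contacted.

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

# Constructed group entries: DN -> attributes. The last SID component is the
# RID; 513 (Domain Users) and 512 (Domain Admins) are well-known RIDs.
GROUPS = {
    "CN=Domain Users,CN=Users,DC=corp,DC=example": {"objectSid": f"{DOMAIN_SID}-513"},
    "CN=Domain Admins,CN=Users,DC=corp,DC=example": {"objectSid": f"{DOMAIN_SID}-512"},
    "CN=VPN-Users,OU=Groups,DC=corp,DC=example": {"objectSid": f"{DOMAIN_SID}-1105"},
}

DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=corp,DC=example"
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=corp,DC=example"

# Constructed user entries, as an LDAP client such as the ASA would read them.
USERS = {
    # Standard account: primary group is Domain Users, so AD omits it from memberOf.
    "alice": {
        "primaryGroupID": "513",
        "memberOf": ["CN=VPN-Users,OU=Groups,DC=corp,DC=example"],
    },
    # Primary group changed to Domain Admins: now Domain Users shows up in
    # memberOf and Domain Admins is the one that is missing.
    "bob": {
        "primaryGroupID": "512",
        "memberOf": [DOMAIN_USERS],
    },
}


def group_rid(group_dn: str) -> int:
    """Relative identifier (last objectSid component) of a group entry."""
    return int(GROUPS[group_dn]["objectSid"].rsplit("-", 1)[1])


def primary_group_dn(user: dict) -> str:
    """Map primaryGroupID to the group whose objectSid ends in that RID."""
    rid = int(user["primaryGroupID"])
    for dn in GROUPS:
        if group_rid(dn) == rid:
            return dn
    raise LookupError(f"no group with RID {rid}")


def is_member_memberof_only(user: dict, group_dn: str) -> bool:
    """The check an attribute map or DAP on memberOf performs: blind to the primary group."""
    return group_dn in user.get("memberOf", [])


def effective_groups(user: dict) -> set[str]:
    """memberOf plus the primary group, i.e. direct membership as AD actually evaluates it."""
    return set(user.get("memberOf", [])) | {primary_group_dn(user)}


def is_member(user: dict, group_dn: str) -> bool:
    """Membership check that covers both the memberOf and the primaryGroupID case."""
    return group_dn in effective_groups(user)


def ldap_filter(sam_account_name: str, group_dn: str) -> str:
    """One LDAP search filter matching the user if the group is in memberOf OR is
    the primary group (the thread's two DAPs folded into a single query).
    Inputs are trusted here; real code must escape LDAP filter metacharacters."""
    rid = group_rid(group_dn)
    return (f"(&(sAMAccountName={sam_account_name})"
            f"(|(memberOf={group_dn})(primaryGroupID={rid})))")


if __name__ == "__main__":
    for name, user in USERS.items():
        print(name, "memberOf only:", is_member_memberof_only(user, DOMAIN_USERS),
              "with primaryGroupID:", is_member(user, DOMAIN_USERS))
    print(ldap_filter("alice", DOMAIN_USERS))
```

Two practical points follow from the sample users. A memberOf-only rule does not merely miss an edge case: it excludes every standard account, since 513 is the default primary group for all of them, while bob shows that the primary group is ordinary writable user data, so the primaryGroupID clause and the memberOf clause are both needed, exactly as the two DAPs above do. For a policy keyed on a group name rather than a DN, match on the RID (the objectSid) where you can, since the name "Domain Users" is localized on non-English domain controllers while 513 is not.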